[jcifs] Re: Authentication via SmbSession.logon

Michael B Allen mba2000 at ioplex.com
Fri Apr 15 18:06:57 GMT 2005

On Fri, 15 Apr 2005 08:06:12 +0000 (UTC)
Esteve Boix <esteveb at gmail.com> wrote:

> > But I think I see the problem. The AccountName field has MACH\name which
> > leads me to believe you are using
> > smb://MACH\\name:password <at> server/share/path/. The account name
> > cannot have a backslash in it. That is not a valid character in a URL.
> > The 'MACH' part is the domain.
> You are absolutely and completely right. Problem solved.
> Now I'm using NtlmPasswordAuthentication, but I guess it's as safe as
> using the URL, since the password travels also through the network

No, the password is never transmitted in plain text [1]. The issue is
that URLs are frequently visible to application users, within logfiles,
in exceptions, etc. It is better to hide the password in the NPA. Of
course it has to come from somewhere but at least you can isolate it in
a file or enter it once using a dialog.

In 2.0 we hope to convert entirely over to Kerberos which is a little
better about this problem - once the user runs kinit the ticket is cached.
For daemons one can use renewable tickets. Etc.


[1] unless you set disablePlainTextPasswords=false

IRC - where men are men, women are men, and the boys are FBI agents.

More information about the jcifs mailing list